Abstract

Inspired by developments in attribute based encryption and signatures, there has recently been a spurt of progress in the direction of threshold attribute based signatures (t-ABS). In this work we propose a novel approach to constructing threshold attribute based signatures, inspired by ring signatures. Threshold attribute based signatures, defined by a $(t, n^*)$ threshold predicate, ensure that the signer holds at least $t$ out of a specified set of $n^*$ attributes in order to pass verification. Another way to look at this is that the signer holds at least one of the $\binom{n^*}{t}$ possible $t$-element subsets of the attribute set. Thus, a new approach to t-ABS is to let the signer pick some $n'$ sets of $t$ attributes each from the $\binom{n^*}{t}$ possible sets, and prove that (s)he has at least one of the $n'$ sets in his/her possession. In this work we provide a flexible threshold-ABS scheme that realizes this approach. We also prove our scheme secure in the random oracle model.
1 Introduction

Attribute based signatures (ABS) are a cryptographic primitive in which users produce signatures based on some predicate over attributes, using keys issued by one or more attribute authorities. ABS has largely been inspired by attribute based encryption schemes. Attribute based systems are applicable in settings where a complex policy must govern access to a document or provide authentication. These systems are also privacy-friendly, since they deal with the attributes of a user and not with any direct identity associated with the signer. In this sense, ABS is similar to signature variants like group signatures [3], ring signatures [11] and mesh signatures [2]. The dominant idea behind all these signature primitives is that they give the signer fine-grained control over the amount of personal information exposed. At the same time, a valid ABS signature guarantees that only a person possessing the attributes required to satisfy the predicate can have produced it.

A notable feature of ABS is that, unlike other signature schemes, attribute based systems are capable of supporting complex predicate policies. For instance, some permissions can be approved only by a person who is: (((Major) AND (in Army OR Navy)) OR (Captain AND in Operation-Star) OR (Commander AND in Operation-X)). Moreover, a valid signature under the above predicate would only indicate one of four possibilities for the signer: a) Major in Army, b) Major in Navy, c) Captain in Operation-Star, or d) Commander in Operation-X; it would not reveal which of these the signer actually is. Also, a person who is none of the four would not be able to produce a valid signature.

Collusion resistance is an important property of attribute based systems. It means that multiple parties cannot collude and pool their attributes to produce a valid signature that none of them could have produced individually. For example, a commander in the air force and a captain in Operation-X should not be able to combine their attributes to produce a valid signature for the example predicate above.

Threshold ABS is an attribute based signature in which the predicate (the signing policy) is given as a $(t, n^*)$-threshold over a verification attribute set of cardinality $n^*$. Verification of the signature ensures that the signer has at least a threshold number $t$ of attributes in common with the verification attribute set.

1.1  Related  work 

Work on attribute based signatures was influenced primarily by attribute based encryption primitives. Attribute based encryption took its form from the work of Sahai and Waters, and was later formalized by Goyal et al. in 2006. The first formal notion of attribute based signatures was presented in 2008 in the work of Maji et al. Since then many ABS schemes have appeared in the literature. Maji et al.'s ABS scheme supported predicates with AND, OR and threshold gates, but the security of their scheme is in the generic group model. Earlier, Khader introduced attribute based group signatures, which find applicability in settings where one wants additional credentials from a member of a group and also insists on collusion resistance.

Li and Kim in [12] introduced the notion of attribute based ring signatures. They developed two schemes which they showed to be secure under the standard computational Diffie-Hellman assumption. However, their schemes are restricted to the selective unforgeability model. In addition, their ABS schemes support only predicates that are conjunctions, i.e. an $(n, n)$ threshold; therefore, even though the signer's identity remains concealed, the exact attributes of the signer are exposed. Shahandashti and Safavi-Naini formalized the notion of threshold-ABS and its properties more concretely. They not only gave definitions and features of t-ABS schemes but also made several improvements on [12] and gave ABS schemes supporting a $(k, n)$ threshold, where $k$ is the threshold and $n$ the number of attributes in the verification attribute set. Although this scheme was more expressive, it was not efficient, since the message was signed separately with each and every secret attribute possessed by the user. More recently, Li et al. proposed two new and efficient threshold ABS schemes, one claimed secure in the random oracle model and the other in the standard model. That work is extended by Kumar et al. to construct a bounded multi-level threshold ABS scheme. Another recent work of Maji et al. gives a general framework for the construction of ABS schemes and some practical instantiations based on standard assumptions. Their scheme uses monotone span programs to encode the access structure and non-interactive witness indistinguishability (NIWI) proofs to strengthen the anonymity of the signer. The authors also introduce a new generic primitive called a credential bundle, used in the key generation phase to bundle the attributes of the signer; this is what makes their scheme collusion resistant.

1.2  Our  Contribution 

This work provides a new perspective on threshold attribute based signatures using the ring concept. Any threshold attribute based signature ensures that the signer possesses at least $t$ out of the specified signing attributes, say $n^*$ in number. From another perspective, this is equivalent to saying that the signer holds at least one of the $\binom{n^*}{t}$ possible $t$-element subsets of the attributes. So, in our scheme we let the signer pick some $n'$ sets of $t$ attributes each from the $\binom{n^*}{t}$ possible sets, and prove, using a ring signature, that (s)he has at least one of the $n'$ sets in his/her possession. Our scheme is proved secure by reduction to the modified CBDH assumption in the random oracle model. We show both unforgeability of the signature and anonymity of the attribute set used in signing.

We also show that our approach to t-ABS gives the signer an interesting way to control privacy in situations where the signing policy (the threshold predicate) is determined by an authority other than the signer. Additionally, our scheme yields a constant-size signature if the signer chooses to reveal the exact attribute set (s)he uses for the signature. If attribute privacy is strongly desired instead, our scheme can produce signatures that trade off the signer's attribute privacy against the size (and number of components) of the signature.

Organization of the paper. We begin with the preliminaries in the next section. Then, in Section 3 we present the construction of a t-ABS scheme following the approach just described. This is followed by the proof of security of the scheme in the random oracle model.

2  Preliminaries 

In this section we present the preliminaries required, together with the construction of the efficient threshold ABS scheme of Li et al.

2.1  Bilinear  Pairing 

Let $\mathbb{G}_1$, $\mathbb{G}_2$, $\mathbb{G}_T$ be multiplicative groups of prime order $p$. The elements $g_1 \in \mathbb{G}_1$ and $g_2 \in \mathbb{G}_2$ are generators of $\mathbb{G}_1$ and $\mathbb{G}_2$ respectively. A bilinear pairing is a map $e : \mathbb{G}_1 \times \mathbb{G}_2 \to \mathbb{G}_T$ with the following properties:

1. Bilinear: $e(g_1^a, g_2^b) = e(g_1, g_2)^{ab}$ for all $g_1 \in \mathbb{G}_1$, $g_2 \in \mathbb{G}_2$, where $a, b \in \mathbb{Z}_p$.

2. Non-degenerate: there exist $g_1 \in \mathbb{G}_1$ and $g_2 \in \mathbb{G}_2$ such that $e(g_1, g_2) \neq 1$; in other words, the map does not send all pairs in $\mathbb{G}_1 \times \mathbb{G}_2$ to the identity in $\mathbb{G}_T$.

3. Computability: there is an efficient algorithm to compute $e(g_1, g_2)$ for all $g_1 \in \mathbb{G}_1$ and $g_2 \in \mathbb{G}_2$.
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2.2  Lagrange  Interpolation 

Let $q(x)$ be a polynomial of degree $d - 1$ with coefficients in $\mathbb{Z}_p$. Then, given any set of $d$ points on the polynomial $\{q(i) : i \in S\}$, where $S$ is a set of indices with $|S| = d$, we can use Lagrange interpolation to find $q(j)$ for any $j \in \mathbb{Z}_p$ as follows ($\Delta_{i,S}(j)$ is termed the Lagrange coefficient):

$$q(j) = \sum_{i \in S} q(i)\,\Delta_{i,S}(j), \qquad \text{where } \Delta_{i,S}(j) = \prod_{k \in S,\, k \neq i} \frac{j - k}{i - k}.$$
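The formula above carried out in code, as an added example that is not part of the paper: the Lagrange coefficient $\Delta_{i,S}(j)$ is computed over $\mathbb{Z}_p$ with a modular inverse, and the threshold behaviour is made visible by sharing a value as $q(0)$ and recovering it from exactly $d$ points while $d-1$ points give an unrelated value. The prime modulus and the sample polynomial are constructed for the demonstration; the scheme in Section 3 does not itself use this interpolation.

```python
# Added example (not part of the paper): Lagrange interpolation over Z_p as in
# Section 2.2, with the Lagrange coefficient Delta_{i,S}(j) made explicit.
# The prime below is a constructed modulus for the example; any prime p works.
import random

P = 2**127 - 1  # constructed: a Mersenne prime used as Z_p for the demo


def lagrange_coeff(i, S, j, p=P):
    """Delta_{i,S}(j) = prod_{k in S, k != i} (j - k) / (i - k)  (mod p)."""
    num, den = 1, 1
    for k in S:
        if k == i:
            continue
        num = num * ((j - k) % p) % p
        den = den * ((i - k) % p) % p
    return num * pow(den, -1, p) % p  # den != 0 because the indices in S are distinct


def interpolate(points, j, p=P):
    """q(j) = sum_{i in S} q(i) * Delta_{i,S}(j) (mod p), given {i: q(i)} for |S| = d."""
    S = list(points)
    return sum(points[i] * lagrange_coeff(i, S, j, p) for i in S) % p


def eval_poly(coeffs, x, p=P):
    """Evaluate q(x) with coeffs[0] the constant term (Horner's rule)."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % p
    return acc


def share(secret, d, indices, p=P, rng=None):
    """Degree-(d-1) polynomial with q(0) = secret, evaluated at the given indices.
    This is the (d, n) threshold sharing that the Lagrange formula reconstructs."""
    rng = rng or random.Random(0)
    coeffs = [secret % p] + [rng.randrange(1, p) for _ in range(d - 1)]
    return {i: eval_poly(coeffs, i, p) for i in indices}


def recover(points, p=P):
    """Reconstruct q(0) from exactly d shares; fewer than d shares give an unrelated value."""
    return interpolate(points, 0, p)


if __name__ == "__main__":
    shares = share(secret=42, d=3, indices=[1, 2, 3, 4, 5])
    print(recover({i: shares[i] for i in (1, 3, 5)}))  # any 3 of the 5 shares recover 42
    print(recover({i: shares[i] for i in (1, 2)}))     # only 2 shares: a value unrelated to 42
```

The two identities worth checking by hand are $\Delta_{i,S}(i) = 1$, $\Delta_{i,S}(k) = 0$ for $k \in S \setminus \{i\}$, and $\sum_{i \in S} \Delta_{i,S}(j) = 1$ for every $j$ (interpolation of the constant polynomial 1); the test below asserts all three.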

2.3  Modified  Computational  Bilinear  Diffie-Hellman  Assumption. 

We state the modified computational bilinear Diffie-Hellman problem [5] in the form in which we use it to prove the security of our scheme.

Let $e : \mathbb{G} \times \mathbb{G} \to \mathbb{G}_T$ be an efficiently computable bilinear map, where $\mathbb{G}$ has prime order $p$. The modified computational bilinear Diffie-Hellman (m-CBDH) assumption is said to hold in $\mathbb{G}$ if, given the elements $\{P, aP, bP, cP, a^{-1}P\}$, no probabilistic polynomial-time adversary can compute $e(P, P)^{abc}$ with non-negligible advantage, where $a, b, c \in_R \mathbb{Z}_p^*$ and the generator $P \in \mathbb{G}$ are chosen independently and uniformly at random.


2.4  Forking  Lemma 

We make use of the forking lemma to prove unforgeability of the threshold attribute based signature proposed in Section 3. We first present the conditions a ring signature must satisfy to be considered generic, and then state the forking lemma for generic ring signatures. The definitions are borrowed from Herranz et al. [7].

Generic Ring Signature. We denote by $H(\cdot)$ a cryptographic hash function that outputs $k$ bits, where $k$ is the security parameter. Consider a group of $n$ ring members. Given an input message $m$, a generic ring signature scheme produces a tuple $(m, R_1, \ldots, R_n, h_1, \ldots, h_n, \sigma)$, where $R_1, \ldots, R_n$ (the randomness) take their values randomly in a large set $G$ in such a way that $R_i \neq R_j$ for all $i \neq j$, $h_i$ is the hash value of $(m, R_i)$ for $1 \le i \le n$, and the value $\sigma$ is fully determined by $R_1, \ldots, R_n$, $h_1, \ldots, h_n$ and the message $m$.

Another required condition is that no $R_i$ can appear with probability greater than $2/2^k$, where $k$ is the security parameter. This condition can be achieved by choosing the set $G$ as large as necessary.


Theorem 2.1 (Forking lemma) The forking lemma for adaptive chosen message attacks with respect to generic ring signature schemes, as given in [7], is as follows. Let $A$ be a probabilistic polynomial time Turing machine whose input consists only of public data. We denote by $q_h$ and $q_s$ the number of queries that $A$ can ask to the random oracle and to some real signers of the ring, respectively; we also denote by $P_{q_h, n}$ the number of $n$-permutations of $q_h$ elements, i.e. $P_{q_h, n} = q_h(q_h - 1)\cdots(q_h - n + 1)$. Assume that, within time bound $T$, $A$ produces with non-negligible probability $\epsilon$ a valid ring signature $(m, R_1, R_2, \ldots, R_n, h_1, \ldots, h_n, \sigma)$. Suppose the valid ring signature can be simulated with a polynomially indistinguishable distribution of probability, without knowing any of the secret keys of the ring, within a time bound $T_s$. Then there exists another probabilistic polynomial time Turing machine which can, by a replay of the attacker $A$ where the interactions with the signer are simulated, produce two valid ring signatures $(m, R_1, R_2, \ldots, R_n, h_1, \ldots, h_n, \sigma)$ and $(m, R_1, R_2, \ldots, R_n, h_1', \ldots, h_n', \sigma')$ such that $h_j \neq h_j'$ for some $j \in \{1, \ldots, n\}$ and $h_i = h_i'$ for all $i \neq j$, in expected time

$$T' \le \frac{144823\, P_{q_h, n}\,(T + q_s T_s)}{\epsilon}$$

with non-negligible probability.


2.5  Attribute-Based  Signature 

Attribute based signature schemes consist of four algorithms: setup, key generation, signing and verification, defined as follows:

Setup is run by a central authority. It takes as input the security parameter $d$, and outputs the set of public parameters, denoted params, and a master secret key, msk.

Key-Gen (or Extract) is run by the key generating authority. It takes as input msk and a set of attributes (from the user/signer) and produces $D$, a corresponding set of private keys for the signer.

Sign takes the signer's private keys $D$, a predicate $\Upsilon$, and a message $m$, and produces a signature $\sigma$.

Verify ensures that a signature $\sigma$ on a message $m$ is pronounced valid if and only if the signer possesses attributes that satisfy the predicate $\Upsilon$.
2.6 Threshold Attribute-Based Signature

In order to realize threshold attribute based signatures in this new setting, we propose the following model and security game.

Definition: The scheme consists of the following four algorithms:

Setup is run by a central authority. It takes as input the security parameter $d$, and outputs the set of public parameters, denoted params, and a master secret key, msk.

Key-Gen (or Extract) is run by the key generating authority. It takes as input msk and a set of signer attributes $U_\beta$, and produces a corresponding set of private keys, $D$, for the signer.

Sign takes the signer's private keys $D$, a fixed threshold $t$ (an integer), an attribute subset $U^*$, and a message $m$, and produces a signature $\sigma$. The Sign algorithm also outputs (as part of the signature) a set $T$ consisting of $n'$ subsets ($1 \le n' \le \binom{n^*}{t}$) of attributes, $T = \{T_1, T_2, \ldots, T_{n'}\}$, such that each $T_j$ satisfies $|T_j| = t$ and $T_j \subseteq U^*$, i.e. every subset $T_j$ has a threshold number of attributes and all of these attributes are present in $U^*$.

Verify is run by a verifier. It outputs 1 when a signature $\sigma$ on a message $m$ is valid, i.e. if one of the attribute subsets $T_j$ was used in obtaining the signature.

Correctness: A threshold-ABS scheme must satisfy the correctness property: a signature generated by a signer with attribute set $U_\beta$ must pass the verification test for the given $U^*$ and $t$ if $|U_\beta \cap U^*| \ge t$. More precisely, there exists an attribute subset $T_j \in T$ such that $T_j \subseteq U_\beta$ (and by definition $|T_j| = t$, hence $|U_\beta \cap U^*| \ge t$).

Unforgeability: The above threshold attribute based signature scheme is required to be existentially unforgeable under chosen attribute and message attacks, defined by the following game:

Setup phase: The challenger $C$ runs the Setup algorithm and gives the public parameters params to the adversary $A$.

Query phase: The adversary can perform a polynomially bounded number of queries in an adaptive manner (interactively), as described below.

- Hash. $A$ is allowed to query all the hash functions.

- KeyGen. $A$ is allowed to query the keys for any set of attributes $U_\beta$.

- Sign. $A$ requests the signature of a signer with (any) attribute set $U_\beta$ on any message $m$ by specifying a threshold $t'$ on an $n$-element attribute set $U^*$.

Forgery phase: At the end of the game, $A$ outputs a forgery $\sigma$ with respect to the set of attributes $U^*$, threshold $t''$ and message $m'$, where $\sigma$ contains $n'$ attribute subsets $T_1, T_2, \ldots, T_{n'}$ such that $|T_j| = t''$ and $T_j \subseteq U^*$ for all $j$, and $1 \le n' \le \binom{n^*}{t''}$.

$A$ wins the game if the following hold:

1. $\sigma$ is a valid signature with respect to $U^*$, $t''$, $m'$.

2. For all KeyGen queries on attribute set $U_\beta$, $|U_\beta \cap U^*| < t''$.

3. For all Sign queries on message $m$ using signer attributes $U_\beta$, $m \neq m'$ or $|U_\beta \cap U^*| < t''$.

If no polynomial adversary has a non-negligible advantage in the above game, we say that the threshold-ABS scheme is existentially unforgeable against chosen attribute and message attacks.

Collusion-resistance. Note that the above game captures collusion resistance. The adversary may have obtained from KeyGen the secret keys for every attribute in $U^*$, by querying different attribute sets $U_\beta$ such that $U^* \subseteq \bigcup_\beta U_\beta$, as long as each individual $U_\beta$ has fewer than $t''$ attributes in common with $U^*$; a forgery in that situation still counts as a win. Thus the game guarantees that no colluding group of users can create a signature that could not have been created by one of the colluders independently.
Weak signer attribute privacy. This is an additional property that some threshold-ABS schemes provide. It says that the threshold attribute based signature does not reveal any information about the attributes of the signer other than that the signer has $t$ of the attributes in $U^*$. In our t-ABS scheme, we define the scheme to have weak signer attribute privacy if the signature does not reveal any information about the attributes of the signer except those the signer chooses to reveal in the $n'$ chosen subsets (of the signing policy attribute set $U^*$). More specifically, given the $n'$ subsets of attributes, the verifier must be unable to deduce which subset was used by the signer to produce the signature.

3  New  t-ABS  Scheme 

In this section we propose a novel scheme for threshold attribute based signatures which is conceptually based on ring signatures. Here is a brief sketch of the idea before we present the scheme.

Intuition. Any threshold attribute based signature ensures that the signer possesses at least $t$ out of the specified signing attributes, say $n^*$ in number. Another way to look at this is that the signer holds at least one of the $\binom{n^*}{t}$ possible $t$-element subsets of the attributes. Thus, a new approach to the same goal is for the signer to pick some $n'$ sets of $t$ attributes each from the $\binom{n^*}{t}$ possible sets, and prove that she has at least one of the $n'$ sets in her possession. Note that $1 \le n' \le \binom{n^*}{t}$. If $n' \ge 2$, this suffices to prove that the signature is valid and the signer has the required attributes, and it also gives a reasonable degree of anonymity, since the exact credentials of the signer are not revealed. If the actual predicate is an AND, then $t = n^*$, which means $n' = 1$ and the signer proves possession of the complete set of attributes. On the other hand, if the predicate is a simple OR, then $t = 1$ and the signer can again choose an appropriate $n'$ depending on the amount of privacy she wishes to have, and then produce a signature. With this intuition, we are ready to see the details of the scheme.
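The set-level bookkeeping behind this intuition and behind the model of Section 2.6, written out as an added example that is not part of the paper: enumerating the $\binom{n^*}{t}$ candidate subsets, building the list $T$ of $n'$ subsets around the one the signer actually owns, the structural checks a verifier applies to $T$, the correctness condition, and the winning conditions of the unforgeability game including the collusion case. No pairings are involved; attribute names such as "A1" and the query sets are constructed for the demonstration.

```python
# Added example (not part of the paper): the set-level model behind the
# "t-ABS as a ring over t-subsets" idea of Section 3 and the game of Section 2.6.
# No pairings here; this is only the combinatorics the signer and verifier agree on.
# Attribute names such as "A1" and the query sets below are constructed.
from itertools import combinations
from math import comb
import random


def t_subsets(U_star, t):
    """All binom(n*, t) candidate t-subsets of the policy set U*."""
    return [frozenset(c) for c in combinations(sorted(U_star), t)]


def usable_subsets(U_beta, U_star, t):
    """The subsets the signer can actually sign with: t-subsets of U* that lie inside U_beta."""
    return [T for T in t_subsets(U_star, t) if T <= frozenset(U_beta)]


def build_ring(U_beta, U_star, t, n_prime, rng=None):
    """Choose T_s from the signer's usable subsets and n'-1 distinct decoys from U*;
    return the shuffled list T and the index s of T_s. Raises if the signer
    cannot satisfy the (t, n*) predicate or if n' is out of range."""
    rng = rng or random.Random(0)
    if not 1 <= n_prime <= comb(len(U_star), t):
        raise ValueError("n' must satisfy 1 <= n' <= binom(n*, t)")
    own = usable_subsets(U_beta, U_star, t)
    if not own:  # |U_beta ∩ U*| < t: the predicate is not satisfied
        raise ValueError("signer holds fewer than t attributes of U*")
    T_s = rng.choice(own)
    decoys = [T for T in t_subsets(U_star, t) if T != T_s]
    ring = [T_s] + rng.sample(decoys, n_prime - 1)
    rng.shuffle(ring)
    return ring, ring.index(T_s)


def well_formed(ring, U_star, t):
    """Verifier's structural check on T: |T_j| = t, T_j ⊆ U*, all distinct, 1 <= n' <= binom(n*, t)."""
    U_star = frozenset(U_star)
    return (1 <= len(ring) <= comb(len(U_star), t)
            and all(len(T) == t and T <= U_star for T in ring)
            and len(set(ring)) == len(ring))


def satisfiable_by(ring, U_beta):
    """Correctness condition: some T_j ⊆ U_beta (which forces |U_beta ∩ U*| >= t)."""
    return any(T <= frozenset(U_beta) for T in ring)


def revealed(ring):
    """Everything the ring discloses about the signer: she owns one of these n' subsets.
    With n' = binom(n*, t) this is exactly 'has t of U*' and nothing more."""
    return frozenset().union(*ring)


def forgery_counts(U_star, t2, m2, keygen_queries, sign_queries):
    """Winning conditions 2 and 3 of the unforgeability game: every KeyGen query
    stayed below the threshold on U*, and no Sign query already covered (m', t'') on U*."""
    U_star = frozenset(U_star)
    below = lambda Ub: len(frozenset(Ub) & U_star) < t2
    return (all(below(Ub) for Ub in keygen_queries)
            and all(m != m2 or below(Ub) for Ub, m in sign_queries))


if __name__ == "__main__":
    U_star, t = {"A1", "A2", "A3", "A4", "A5"}, 3
    ring, s = build_ring({"A1", "A2", "A3", "A7"}, U_star, t, n_prime=4)
    print(len(ring), well_formed(ring, U_star, t), sorted(ring[s]))
    # Colluders each below threshold, yet their union covers U*: a forgery here must still count.
    print(forgery_counts(U_star, t, "m'", [{"A1", "A2"}, {"A3", "A4"}, {"A5"}], []))
```

The privacy trade-off of Section 1.2 is visible in `revealed`: with $n' = 1$ the list $T$ is the exact attribute set used, while with $n' = \binom{n^*}{t}$ the union of the subsets is all of $U^*$ and the verifier learns nothing beyond the predicate itself, at the cost of $n'$ components in the signature.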

3.1  Construction 

We present the construction of our scheme, which is based on the ring signature proposed in [3]. For each of the chosen $n'$ attribute sets we aggregate the attributes by summing them up, forming $n'$ components, one for each set. One of these components has the signer's private key embedded in it, which makes the result a ring signature. During verification the signer's component also takes care of eliminating all the attribute sets except the one actually used for signing, thus proving possession of one among the chosen $n'$ attribute sets. Our construction also allows the key-generating authority to revoke anonymity if required.

3.1.1  Setup 

Let $U = \{A_1, A_2, \ldots, A_n\}$ denote the universe of attributes (attributes are denoted $A_i$). Let $t$ denote the threshold that a user needs to satisfy and $U^*$ the set of attributes in the predicate. If $|U^*| = n^*$, a user must have at least $t$ out of the $n^*$ attributes to be able to produce a valid signature on a message. Let $\mathbb{G}_1$ denote a cyclic additive group of prime order $p$ on which the bilinear map is efficiently computable, and let $e : \mathbb{G}_1 \times \mathbb{G}_1 \to \mathbb{G}_2$ be that map. Let $H_1$, $H_2$, $H_3$ and $H_4$ be four hash functions defined by $H_1 : \{0,1\}^* \to \{0,1\}^*$, $H_2 : \{0,1\}^* \to \mathbb{G}_1$, $H_3 : \{0,1\}^* \to \mathbb{G}_1$, and $H_4 : \{0,1\}^* \to \mathbb{Z}_p^*$. Let the generator of the group be $P \in_R \mathbb{G}_1$, the secret key $\alpha \in_R \mathbb{Z}_p^*$, and denote $\gamma = e(P, P) \in \mathbb{G}_2$. The master secret key (msk) is $\alpha$ and $P_{pub} = \alpha P$. The public parameters of the system are

params $= (e, \mathbb{G}_1, \mathbb{G}_2, H_1(\cdot), H_2(\cdot), H_3(\cdot), H_4(\cdot), P, P_{pub})$.

3.1.2  Key  Generation 

$D \leftarrow \mathrm{KeyGen}(U_\beta, ID, \mathrm{msk})$. Let $U_\beta$ be the set of attributes that a user $\beta$ has, with $|U_\beta| = n_\beta$, and let $D$ denote the set of keys given to the user. The attribute authority picks $r_\beta \in_R \mathbb{Z}_p^*$ and then computes the following:

1. Set $D_0 = r_\beta P$ and $D_1 = r_\beta^{-1} P$.

2. $\omega = H_1(U_\beta, ID)$.

3. Set $W = H_3(\omega)$.

4. Set $D_2 = r_\beta^{-1} W$.

5. Then $Q_i = H_2(A_i)$ and $D_i = r_\beta \cdot \alpha \cdot Q_i$ for all $A_i \in U_\beta$.

The private key returned is $D = \{\{D_i\}_{A_i \in U_\beta}, D_0, D_1, D_2, \omega\}$.
Key verification

On receiving the private keys corresponding to his/her attributes, the user can verify them as follows:

$$e(D_0, D_1) = \gamma$$

$$e(D_0, D_2) = e(P, H_3(H_1(U_\beta, ID)))$$

$$e(D_i, D_1) = e(Q_i, P_{pub})$$

3.1.3  Sign 


$\sigma \leftarrow \mathrm{Sign}(U^*, t, D, m, \mathrm{params})$. A signer who possesses at least $t$ of the attributes in $U^*$ must be able to produce a valid signature on a message $m$. Let $T_\beta$ be the $t$-element subset of attributes of $U^*$ that the user chooses in order to generate the signature, i.e. $T_\beta \subseteq U^* \cap U_\beta$ with $|T_\beta| = t$. Let $T$ be a collection of $n'$ subsets of attributes from $U^*$ such that each subset has cardinality exactly $t$ and no two of them are equal. We assume that the sets in $T$ are indexed by values from 1 to $n'$. So, the signer chooses $\{T_i\}_{i \in \{1, \ldots, n'\}}$ where $T_i \subseteq U^*$, $|T_i| = t$, $T_i \neq T_j$ for $i \neq j$, and $2 \le n' \le \binom{n^*}{t}$. Without loss of generality, we can assume that the set $T_\beta$ is present in $T$ at a random index $s$, $1 \le s \le n'$; we therefore refer to $T_\beta$ as $T_s$ in the subsequent discussion. Hence $T_s$ is the set used for generating the signature, and the remaining $n' - 1$ sets are used to form the ring (to provide anonymity).

The signer first picks $n'$ random values $r_i \in_R \mathbb{Z}_p^*$ for $i \in \{1, \ldots, n'\}$ and an $r^* \in_R \mathbb{Z}_p^*$, and then generates the signature on $m$ as follows:

1. Set $V_0 = r^* D_0$, $V_1 = (r^*)^{-1} D_1$ and $V_2 = (r^*)^{-1} D_2$.

2. Choose $U_i \in_R \mathbb{G}_1$ for $i \in \{1, \ldots, n'\} \setminus \{s\}$.

3. Compute $h_i = H_4(m, U_i, T_i, V_0, V_1, V_2)$ for all $i \in \{1, \ldots, n'\} \setminus \{s\}$.

5. Define $h_s = H_4(m, U_s, T_s, V_0, V_1, V_2)$, consistently with the definition of the other $h_i$ values.

6. Set $V = r^*(r_s + h_s)\, D_i$.

The final signature is $\sigma = (\{T_i\}_{i=1}^{n'}, \{U_i\}_{i=1}^{n'}, V, V_0, V_1, V_2, \omega)$.

It is important to note that the size of the signature is independent of the number of attributes and depends instead on the degree of privacy the signer prefers: $n'$ is a factor the signer chooses according to the amount of information she wishes to reveal, and it does not depend on the size of $U^*$ or on $t$.

3.1.4  Verify 

Any user can verify the signature by performing the following checks:

$$e(V_0, V_1) = \gamma$$

$$e(V_0, V_2) = e(P, H_3(\omega))$$

The signature is valid only if all three checks are satisfied; in all other cases it is considered invalid. Correctness of the above three checks can be found in Appendix A.
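The two checks shown above, and the three key-verification checks of Section 3.1.2, follow directly from bilinearity of $e$. The derivation below is added here and is not part of the original text; it uses only the definitions of Sections 3.1.1 to 3.1.3, in particular $W = H_3(\omega)$ with $\omega = H_1(U_\beta, ID)$:

$$e(D_0, D_1) = e(r_\beta P,\, r_\beta^{-1} P) = e(P, P)^{r_\beta r_\beta^{-1}} = \gamma,$$

$$e(D_0, D_2) = e(r_\beta P,\, r_\beta^{-1} H_3(\omega)) = e(P, H_3(\omega)) = e(P, H_3(H_1(U_\beta, ID))),$$

$$e(D_i, D_1) = e(r_\beta \alpha Q_i,\, r_\beta^{-1} P) = e(Q_i, P)^{\alpha} = e(Q_i, \alpha P) = e(Q_i, P_{pub}),$$

and for the signature components, with $V_0 = r^* D_0 = r^* r_\beta P$, $V_1 = (r^*)^{-1} D_1 = (r^* r_\beta)^{-1} P$ and $V_2 = (r^*)^{-1} D_2 = (r^* r_\beta)^{-1} H_3(\omega)$,

$$e(V_0, V_1) = e(r^* r_\beta P,\, (r^* r_\beta)^{-1} P) = \gamma, \qquad e(V_0, V_2) = e(r^* r_\beta P,\, (r^* r_\beta)^{-1} H_3(\omega)) = e(P, H_3(\omega)).$$

The randomizer $r^*$ cancels in both pairings, which is what lets the same key $(D_0, D_1, D_2)$ produce unlinkable $(V_0, V_1, V_2)$ across signatures while $\omega$ still identifies the key to the authority that issued it.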


4  Security 

We show that our threshold attribute based signature scheme is existentially unforgeable under the chosen attribute and message attack defined in Section 2.6. We then show that our scheme satisfies the weak signer attribute privacy property.
4.1 Unforgeability

Theorem 4.1 (Unforgeability) In the random oracle model, suppose there exists an algorithm $A$ that wins the existential unforgeability game under chosen attribute and message attack with non-negligible probability $\epsilon$, producing a valid ABS in polynomial time $T$ by making at most $q_{H_1}, q_{H_2}, q_{H_3}, q_{H_4}$ queries to the random oracles $H_1, H_2, H_3, H_4$, and $q_k$ and $q_s$ Key-Generation and Sign queries respectively. Then the modified computational bilinear Diffie-Hellman (m-CBDH) problem can be solved within expected time

$$T' \le \frac{144823\, P_{Q, n'}\,(T + q_s T_s)}{\epsilon}, \qquad \text{where } Q = q_{H_1} + q_{H_2} + q_{H_3} + q_{H_4} + q_k.$$

Proof: The proof of unforgeability (Theorem 4.1) of our threshold attribute based signature follows, to some extent, that given by Chow et al. In the subsequent discussion we show a reduction from forging our scheme to solving the m-CBDH problem.

In order to solve the m-CBDH problem, the challenger $C$ receives the instance $\{P, aP, bP, cP, a^{-1}P\}$ and must finally output $e(P, P)^{abc}$. The challenger runs $A$ as a subroutine in the existential unforgeability game. As defined in the game, $A$ can make queries to the hash functions; although the hash outputs are random, $C$ maintains separate lists of the queries and responses of each oracle in order to simulate proper collision-resistant hash functions and avoid inconsistencies. Also, in the proof we assume that all $H_2(A_i)$ queries are made before the corresponding values are used in any further oracle queries.

Setting. First, the challenger $C$ sets the system public key as $P_{pub} = aP$ and the master secret as $\alpha = a$. Note that $C$ does not know $a$, $b$ or $c$, but it simulates those values in its responses to $A$ with the help of $aP$, $bP$, $cP$ and $a^{-1}P$.

Hi  queries.  Queries  to  the  Hi  oracle  are  answered  by  the  challenger  as  follows.  C  picks  an  u>  G  Z* 
uniformly  at  random,  and  then  checks  if  this  value  is  present  in  the  list  L\.  If  it  is  present,  then  C  re-picks 
w  repeating  the  process  until  it  gets  a  new  value.  Then  the  tuple  <  Up,ID,co  >  is  added  to  list  L\. 

H2  queries.  When  A  makes  queries  to  the  hash  function  H2(-)  with  input  as  some  attribute  A,,  C  does 
the  following.  If  A,-  was  already  queried  before,  the  hash  value  will  be  in  the  list  L2  and  C  will  search  and 
give  the  value  stored  in  the  list.  Otherwise,  C  first  picks  an  si  G  Z*  uniformly  at  random,  and  then  checks  if 
this  value  is  present  in  the  list  L2.  If  it  is  present  C  re-picks  st  repeating  the  process  until  it  gets  a  new  value. 
Then,  it  sets  Qi  =  H2{Ai)  =  Si(bP).  After  each  response,  C  makes  sure  to  save  the  tuple  <  Ai,Si,Qi  >  in 
the  list  L2,  if  it  was  not  already  present. 

H3  queries.  List  L3  is  used  to  maintain  the  queries  and  responses  of  this  oracle.  When  an  input  oj  is 
queried  for  its  hash,  the  list  L3  is  looked  up  to  see  if  a  matching  entry  already  exists,  if  it  is  found  the 
corresponding  value  is  returned.  In  all  other  cases,  an  w  Gr  Z*  is  picked  uniformly  at  random  and  W  is  set 
to  be  W  =  wcP.  The  tuple  of,  <  uj,W,w  >  is  added  to  the  list,  L3. 

Key-Gen queries. Adversary $\mathcal{A}$ is allowed to request the private keys on any set of attributes $U_\rho$. When the challenger gets a query, $\mathcal{C}$ first picks an $r_\gamma \in_R \mathbb{Z}_q^*$ at random. Assume $r_\rho = r_\gamma / a$. Then, the rest of the values are set as follows:

1. Set $D_0 = r_\rho P = (r_\gamma a^{-1})P = r_\gamma(a^{-1}P)$ and $D_1 = r_\rho^{-1}P = (r_\gamma a^{-1})^{-1}P = (r_\gamma^{-1}a)P = r_\gamma^{-1}(aP)$.

2. Now, $\omega = H_1(U_\rho, ID)$.

3. $W = H_3(\omega)$; this is set as $W = wP$ ($w \in_R \mathbb{Z}_q^*$).

4. The tuple $\langle U_\rho, ID, \omega\rangle$ is added to $L_1$ and the tuple $\langle \omega, w, W\rangle$ is added to $L_3$.

5. Compute $D_2 = r_\rho^{-1}W = r_\gamma^{-1}a(wP) = r_\gamma^{-1}w(aP)$.

6. $\forall A_i \in U_\rho$, $D_i = r_\rho \cdot a \cdot Q_i = r_\gamma a^{-1}a(s_i bP) = r_\gamma s_i(bP)$.

The final key is given as $D = \{\{D_i\}_{A_i \in U_\rho}, D_0, D_1, D_2, \omega\}$.

In  each  of  the  hash  oracle  queries,  all  the  intermediate  random  values  that  have  been  chosen  by  the 
challenger  are  added  to  the  respective  lists  along  with  the  computed  components  and  final  responses. 

$H_4$ queries. Whenever queries to $H_4(\cdot)$ are made, $\mathcal{C}$ first looks up the entries in $L_4$ to see if the same query was made previously. If a matching entry is found, it returns the corresponding saved hash value; otherwise, it just picks a random value from $\mathbb{Z}_q^*$ and gives it as output, storing the input and response as a tuple in $L_4$.
Sign. Signature requests are answered by $\mathcal{C}$ as follows. It first picks a $T_s$ at random. Then it selects $n'$ random values in $\mathbb{Z}_q^*$ for $i \in \{1,\dots,n'\}$ and computes the following:

1. $V_0 = (r^*)^{-1}D_0 = (r^{*-1}r_{\rho'})P$, $V_1 = (r^*)^{-1}D_1 = (r^*r_{\rho'})^{-1}P$, $V_2 = (r^*)^{-1}D_2 = (r^*r_{\rho'})^{-1}H_3(\omega)$.

2. Add the values $r_{\rho'}, U_{\rho'}, D_0, D_1, D_2, T_s$ to the sign oracle list.

3. Pick $z \in_R \mathbb{Z}_q^*$ and set$^1$ $V = r^*r_{\rho'}\cdot z\cdot(aP)$.

4. For $i \in \{1,\dots,n'\}\setminus\{s\}$:
   - Select $U_i \in_R G_1$.
   - Get $h_i = H_4(m, U_i, T_i, V_0, V_1, V_2)$ and save $h_i$ in list $L_4$.

5. $U_s = zP - \Big(h'_s\cdot\sum_{A_j\in T_s}Q_j\Big) - \sum_{i\ne s}\Big(U_i + h_i\sum_{A_j\in T_i}Q_j\Big)$.

6. $V = r^{*-1}r_{\rho'}z(aP)$.

7. Save the tuple $\langle h'_s, U_s, T_s, V_0, V_1, V_2, V\rangle$ in $L_4$.

8. $\sigma = \{\{T_i\}_{i=1,\dots,n'}, \{U_i\}_{i=1,\dots,n'}, V, V_0, V_1, V_2, \omega\}$.

Proof of the correctness of this signature can be found in Appendix B.

Forgery. Finally, $\mathcal{A}$ will output $\sigma = \{\{T_i, U_i\}_{i=1,\dots,n'}, V, V_0, V_1, V_2, \omega\}$, the forged signature on the message $m$.


Solving CBDH. From the forking lemma for generic ring signature schemes [7] it follows that, if with non-negligible probability $\mathcal{A}$ can give a valid forged signature in the above interaction within time $T_{\mathcal{A}}$, then we can construct another algorithm $\mathcal{A}'$ which within time $2T_{\mathcal{A}}$ can output two signatures, $\sigma = \{\{T_i, U_i\}_{i=1,\dots,n'}, V, V_0, V_1, V_2, \omega\}$ and $\sigma' = \{\{T_i, U_i\}_{i=1,\dots,n'}, V', V'_0, V'_1, V'_2, \omega\}$, also with non-negligible probability. It also follows from the lemma that with non-negligible probability we can have $h_i = h'_i$ for all $i \in \{1,\dots,n'\}\setminus\{s\}$. Using this, $\mathcal{C}$ can solve for $e(P,P)^{abc}$ as:
\[
e(P,P)^{abc} = \left(\frac{e(V, V_2)}{e(V', V'_2)}\right)^{w^{-1}\,(h_s - h'_s)^{-1}\left(\sum_{A_i\in T_s}s_i\right)^{-1}}
\]

Now, given $\mathcal{A}'$ derived from $\mathcal{A}$, $\mathcal{C}$ can solve for $e(P,P)^{abc}$.

A more detailed derivation, showing the computations involved in extracting the solution for CBDH, can be found in Appendix B.1. ∎


4.2 Signer Attribute Privacy

In this section we define what privacy is and prove that our scheme provides privacy (or anonymity) to the signer's attribute subset used in the signature.

We define signer ambiguity for our scheme in a manner similar to the one given in H] for ring signatures. An attribute-based signature scheme using the ring approach as defined by us, for the threshold access structure, is said to have unconditional signer attribute-set ambiguity if, for any group of $n'$ attribute subsets $\{T_i\}$, where $T = \bigcup_i T_i$, $\forall 1 \le i \le n'$, $T_i \subseteq U^*$ and $|T_i| = t$, any message $m$ and any signature $\sigma$, where $\sigma = Sign(m, t, U^*)$, any verifier $\mathcal{A}$, even with unbounded computing resources, cannot identify the actual attribute subset of the signer (used in the signature) with probability better than a random guess. That is, $\mathcal{A}$ can output the actual signer's chosen attribute subset (indexed by $T_s$) with probability no better than $1/n'$.

Theorem 4.2 (Weak signer attribute privacy). Our threshold attribute-based signature has the weak signer attribute privacy property.


$^1$ Note: This cannot be done by a normal signer since $r_{\rho'}$ will only be available to the attribute authority.


Proof: We first claim that all the $U_i$'s are uniformly distributed. This is because each $U_i$ (including $U_s$) is obtained by multiplying the components with a value $r^*$ that is chosen uniformly at random. So, we can say that the $U_i$'s by themselves (as independent entities) do not leak any information. Another component of the signature, $\omega$, is a hash of the attributes of the user, but since it is a hash and is created even before $T_s$ is chosen, it cannot reveal anything about $T_s$. Also, the other values $V_0$, $V_1$ and $V_2$ are unrelated to $T_s$. So, it remains to be seen whether $V$ gives away any information about $T_s$ with the help of the bilinear map along with any of the given components and public values.

So, we consider whether $V = r^*(r_s + h_s)\sum_{A_i\in T_s}D_i$ leaks anything about $T_s$. Let us focus on $V - r^*h_s\sum_{A_i\in T_s}D_i = r^*r_s\sum_{A_i\in T_s}D_i$. The $h_s$ component can be obtained publicly since it is a hash. We will see if this component gives away information related to $T_s$ when considered along with $V_1 = r^{*-1}r_\rho^{-1}P$ in the bilinear map. If we manage to get $r^*r_s\sum_{A_i\in T_s}D_i$, then we can do the following verification test: check whether $e(r^*r_s\sum_{A_i\in T_s}D_i, V_1) = e(r_s\sum_{A_i\in T_s}Q_i, P_{pub})$. To do this, any user who suspects that the set $T_k$ was used in signing the message will only need to check whether
\[
e\Big(U_k + \sum_{i\ne k}\big(U_i + h_i\sum_{A_j\in T_i}Q_j\big),\ P_{pub}\Big) = e(V, V_1)\Big/e\Big(h_k\sum_{A_j\in T_k}Q_j,\ P_{pub}\Big).
\]

We will now show that, although the above equality is valid for $k = s$, it is equally valid for any of the other attribute subsets in $T$, i.e. the check is symmetric with respect to any attribute subset and hence does not reveal anything about $T_s$. To see that, consider:
\begin{align*}
U_k + \sum_{i\ne k}\Big(U_i + h_i\sum_{A_j\in T_i}Q_j\Big)
&= U_s + \sum_{i\ne s}U_i + \sum_{i\ne k}\Big(h_i\sum_{A_j\in T_i}Q_j\Big)\\
&= r_s\sum_{A_j\in T_s}Q_j - \sum_{i\ne s}\Big(U_i + h_i\sum_{A_j\in T_i}Q_j\Big) + \sum_{i\ne s}U_i + \sum_{i\ne k}\Big(h_i\sum_{A_j\in T_i}Q_j\Big)\\
&= r_s\cdot\sum_{A_j\in T_s}Q_j - h_k\sum_{A_j\in T_k}Q_j + h_s\sum_{A_j\in T_s}Q_j\\
&= (r_s + h_s)\sum_{A_j\in T_s}Q_j - h_k\sum_{A_j\in T_k}Q_j
\end{align*}
Thus,
\[
e\Big(U_k + \sum_{i\ne k}\big(U_i + h_i\sum_{A_j\in T_i}Q_j\big),\ P_{pub}\Big) = e(V, V_1)\Big/e\Big(h_k\sum_{A_j\in T_k}Q_j,\ P_{pub}\Big).
\]

This proves that the check is symmetric with respect to all attribute subsets in $T = \bigcup_i T_i$, $\forall 1 \le i \le n'$. So, the signature components are independent and uniformly distributed irrespective of the attribute subset being used. Thus, our scheme is signer attribute-set anonymous and hence satisfies weak signer attribute privacy.


5 Conclusion

5.1 Advantages of the new approach.

Controlled privacy. The proposed threshold scheme has a new property that we call controlled attribute privacy, which (to the best of our knowledge) is not known to be present in any of the previous threshold attribute based signature schemes. This feature allows signers to control the privacy/anonymity of their attributes even if the signing policy is not determined by them. We illustrate this feature with an example. Let us say Alice is signing a document which requires the signer to satisfy a threshold predicate, and she has sufficient attributes to satisfy the predicate. Say one of the attributes of the signing policy is CIA officer. Now, Alice, being a CIA officer among other things, wishes to highlight this particular fact in her signature (although it may not be necessary). She can choose all the $n'$ attribute sets $\{T_i\}_{i=1,\dots,n'}$ with CIA officer being one of the attributes in each of these sets. By doing this, she has control over which of her attributes she wants to reveal. But if Alice does not wish to reveal anything about her credentials except that they satisfy the necessary threshold, then she will have to give all the $\binom{n^*}{t}$ possible sets. If, on the other hand, Alice is completely indifferent about revealing all of her attributes, then she can give a signature that includes a single subset of attributes, namely exactly the set of attributes used in the signature to satisfy the given policy. Note that this will also be a constant size signature, since it will have only one $T_i$ and $U_i$.
Size-Privacy balance. The power that this feature gives is that, even if the signing policy is specified by a different authority, the signer can choose to reveal more in the signature than what other schemes would normally allow. In a way, our approach gives the signer control over the signature size and privacy, although he/she may not have had the freedom to set the signing policy. If a signer does not care about privacy, then she can go for a constant size signature. If, on the other hand, the size of the signature components is immaterial, then the signer can obtain complete privacy by including all the subsets of attributes satisfying the policy in the signature.

Multi-level threshold attribute based signature. We believe that this scheme can be extended to a multi-level threshold attribute based signature provided each attribute is present only once in the predicate. However, it would be interesting to see if it can be extended to a general multi-level threshold ABS.

5.2 Summary.

In this work we presented a new approach to t-ABS based on ring signatures. We have also given a scheme and shown it to be existentially unforgeable under chosen attribute and message attack in the random oracle model. In addition, the scheme has been proved to provide the weak signer attribute privacy property. We believe that this new approach to t-ABS gives the signer greater power to control his/her anonymity even if (s)he does not get to determine the signing policy.
Appendix


A  New  scheme’s  Sign  algorithm  correctness 


We argue here that, if the steps of the algorithm are followed without deviation, then the signature given is valid. We show a mathematical proof of the correctness. Let us first consider $e(V_0, V_1)$:
\begin{align*}
e(V_0, V_1) &= e(r^*D_0,\ r^{*-1}D_1)\\
&= e(r^*r_\rho P,\ r^{*-1}r_\rho^{-1}P)\\
&= e(P, P)\\
&= \gamma
\end{align*}

Next we check $e(V_0, V_2)$:
\begin{align*}
e(V_0, V_2) &= e(r^*D_0,\ r^{*-1}D_2)\\
&= e(r^*r_\rho P,\ r^{*-1}r_\rho^{-1}H_3(\omega))\\
&= e(P, H_3(\omega))
\end{align*}

Now, we will see if the third verification is also valid, i.e. check whether
\[
e(V, V_1) = e\Big(\sum_{i=1}^{n'}\big(U_i + h_i\sum_{A_j\in T_i}Q_j\big),\ P_{pub}\Big)
\]
is correct for a valid signature. We look at the L.H.S and the R.H.S components separately in showing the proof.

Consider the L.H.S:
\begin{align*}
e(V, V_1) &= e\Big(r^*(r_s + h_s)\sum_{A_i\in T_s}D_i,\ r^{*-1}r_\rho^{-1}P\Big)\\
&= e\Big((r_s + h_s)\sum_{A_i\in T_s}D_i,\ r_\rho^{-1}P\Big)\\
&= e\Big((r_s + h_s)\cdot r_\rho\cdot a\sum_{A_i\in T_s}Q_i,\ r_\rho^{-1}P\Big)\\
&= e\Big((r_s + h_s)\cdot\sum_{A_i\in T_s}Q_i,\ P_{pub}\Big) \tag{1}
\end{align*}

Now, for the R.H.S:
\[
e\Big(\sum_{i=1}^{n'}\big(U_i + h_i\sum_{A_j\in T_i}Q_j\big),\ P_{pub}\Big)
\]
We consider the first component $\sum_{i=1}^{n'}(U_i + h_i\sum_{A_j\in T_i}Q_j)$ and simplify it before we compute the mapping.
\begin{align*}
\sum_{i=1}^{n'}\Big(U_i + h_i\sum_{A_j\in T_i}Q_j\Big)
&= \sum_{i=1}^{n'}U_i + \sum_{i=1}^{n'}\Big(h_i\sum_{A_j\in T_i}Q_j\Big)\\
&= U_s + \sum_{i=1;\,i\ne s}^{n'}U_i + \Big(h_s\cdot\sum_{A_j\in T_s}Q_j\Big) + \sum_{i=1;\,i\ne s}^{n'}\Big(h_i\cdot\sum_{A_j\in T_i}Q_j\Big)\\
&= \Big(r_s\sum_{A_j\in T_s}Q_j\Big) - \sum_{i\ne s}\Big(U_i + h_i\sum_{A_j\in T_i}Q_j\Big) + \Big(h_s\cdot\sum_{A_j\in T_s}Q_j\Big) + \sum_{i=1;\,i\ne s}^{n'}U_i + \sum_{i=1;\,i\ne s}^{n'}\Big(h_i\cdot\sum_{A_j\in T_i}Q_j\Big)\\
&= (r_s + h_s)\cdot\sum_{A_i\in T_s}Q_i \tag{2}
\end{align*}

Using the above we get the R.H.S to be
\[
e\Big(\sum_{i=1}^{n'}\big(U_i + h_i\sum_{A_j\in T_i}Q_j\big),\ P_{pub}\Big) = e\Big((r_s + h_s)\cdot\sum_{A_i\in T_s}Q_i,\ P_{pub}\Big) \tag{3}
\]

Thus, from equations (1), (2) and (3) we can see that the verification holds and can be performed using the public values.
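As an added worked example (not code from the paper), the three verification equations of Appendix A and the symmetric "suspect $T_k$" check of Section 4.2 can be exercised in a toy model: $G_1$ is modelled as $\mathbb{Z}_q$ under addition with $P = 1$, and the pairing as $e(xP, yP) = g^{xy}$ in the order-$q$ subgroup of $\mathbb{Z}_p^*$. This map is bilinear and non-degenerate, but discrete logarithms in it are trivial, so the model checks only the algebraic identities, never security. The real-scheme Sign steps, in particular $U_s = r_s\sum_{A_j\in T_s}Q_j - \sum_{i\ne s}(U_i + h_i\sum_{A_j\in T_i}Q_j)$, are read off the correctness derivation in Appendix A; the hash functions are SHA-256 stand-ins, and the parameters $q = 1019$, $p = 2039$, $g = 4$ and the attribute names are assumptions of this example.

```python
import hashlib
import random

# Toy parameters chosen for this example (not from the paper): q is the group order,
# p = 2q + 1 is a safe prime and g = 4 generates the order-q subgroup of Z_p^*.
Q, PMOD, G = 1019, 2039, 4

def e(X, Y):
    """Toy symmetric bilinear map on G1 = (Z_q, +) with P = 1: e(xP, yP) = g^(x*y)."""
    return pow(G, (X * Y) % Q, PMOD)

def inv(x):
    """Scalar inverse modulo the group order q."""
    return pow(x, -1, Q)

def H(tag, *parts):
    """Domain-separated random-oracle stand-in for H1..H4; returns a non-zero scalar."""
    data = tag + "|" + "|".join(str(p) for p in parts)
    return int(hashlib.sha256(data.encode()).hexdigest(), 16) % Q or 1

def H2(attr):            # Q_i = H2(A_i), a point of G1
    return H("H2", attr)

def H3(omega):           # H3(omega), a point of G1
    return H("H3", omega)

def H4(m, U, T, V0, V1, V2):
    return H("H4", m, U, sorted(T), V0, V1, V2)

def sum_Q(T):            # sum_{A_j in T} Q_j
    return sum(H2(A) for A in T) % Q

def keygen(a, attrs, ident, rng):
    """Attribute authority with master secret a (P_pub = aP) issues the key for attrs."""
    r_rho = rng.randrange(1, Q)
    omega = H("H1", sorted(attrs), ident)
    return {"D": {A: (r_rho * a * H2(A)) % Q for A in attrs},  # D_i = r_rho * a * Q_i
            "D0": r_rho,                                        # D_0 = r_rho P
            "D1": inv(r_rho),                                   # D_1 = r_rho^-1 P
            "D2": (inv(r_rho) * H3(omega)) % Q,                 # D_2 = r_rho^-1 H3(omega)
            "omega": omega}

def sign(key, m, subsets, s, rng):
    """Ring-style signing where subsets[s] = T_s is the subset the signer really holds."""
    r_star, r_s = rng.randrange(1, Q), rng.randrange(1, Q)
    V0 = (r_star * key["D0"]) % Q
    V1 = (inv(r_star) * key["D1"]) % Q
    V2 = (inv(r_star) * key["D2"]) % Q
    U, h = {}, {}
    for i, T in enumerate(subsets):
        if i != s:                                  # decoy subsets get random U_i
            U[i] = rng.randrange(1, Q)
            h[i] = H4(m, U[i], T, V0, V1, V2)
    # Close the ring: U_s = r_s * sum_{T_s} Q_j - sum_{i != s} (U_i + h_i * sum_{T_i} Q_j)
    U[s] = (r_s * sum_Q(subsets[s])
            - sum(U[i] + h[i] * sum_Q(subsets[i]) for i in U)) % Q
    h[s] = H4(m, U[s], subsets[s], V0, V1, V2)
    V = (r_star * (r_s + h[s]) * sum(key["D"][A] for A in subsets[s])) % Q
    return {"T": subsets, "U": [U[i] for i in range(len(subsets))],
            "V": V, "V0": V0, "V1": V1, "V2": V2, "omega": key["omega"]}

def hashes(m, sig):
    """Recompute h_i = H4(m, U_i, T_i, V_0, V_1, V_2) for every subset in the signature."""
    return [H4(m, U, T, sig["V0"], sig["V1"], sig["V2"]) for U, T in zip(sig["U"], sig["T"])]

def verify(Ppub, m, sig):
    """The three verification equations of Appendix A."""
    h = hashes(m, sig)
    rhs = sum(U + hi * sum_Q(T) for U, hi, T in zip(sig["U"], h, sig["T"])) % Q
    return (e(sig["V0"], sig["V1"]) == e(1, 1)                      # gamma = e(P, P)
            and e(sig["V0"], sig["V2"]) == e(1, H3(sig["omega"]))
            and e(sig["V"], sig["V1"]) == e(rhs, Ppub))

def suspect_check(Ppub, m, sig, k):
    """Section 4.2: the test a verifier could run to guess that T_k was the signer's subset."""
    U, T, h = sig["U"], sig["T"], hashes(m, sig)
    left = (U[k] + sum(U[i] + h[i] * sum_Q(T[i]) for i in range(len(T)) if i != k)) % Q
    right = e(sig["V"], sig["V1"]) * pow(e(h[k] * sum_Q(T[k]) % Q, Ppub), -1, PMOD) % PMOD
    return e(left, Ppub) == right

def demo(seed=7):
    """Returns (valid, per-subset checks, tampered-valid); the check passes for every k."""
    rng = random.Random(seed)
    a = rng.randrange(1, Q)                                         # master secret
    key = keygen(a, ["doctor", "surgeon", "staff"], "alice", rng)
    subsets = [["doctor", "surgeon"], ["doctor", "staff"], ["surgeon", "nurse"]]  # n' = 3, t = 2
    sig = sign(key, "m", subsets, 1, rng)                           # Alice really uses T_2
    tampered = dict(sig, V=(sig["V"] + 1) % Q)
    return (verify(a, "m", sig),
            [suspect_check(a, "m", sig, k) for k in range(len(subsets))],
            verify(a, "m", tampered))
```

Because every $k$ passes `suspect_check`, the equality gives a verifier no way to single out the subset actually used, which is the content of Theorem 4.2; the tampered signature shows the third equation is not vacuous.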


B Sign Oracle Correctness

We show the proof for the verification of the signature generated by the oracle while showing the security of the scheme (from Section 4.1).

The signature components generated by the sign oracle are as follows:

1. $V_0 = r^{*-1}D_0 = r^{*-1}r_{\rho'}P$, $V_1 = r^{*-1}D_1 = r^{*-1}r_{\rho'}^{-1}P$, $V_2 = r^{*-1}D_2 = r^{*-1}r_{\rho'}^{-1}H_3(\omega)$

2. $V = r^*r_{\rho'}\cdot z\cdot(aP)$

3. For $i \in \{1,\dots,n'\}\setminus\{s\}$:
   - Sets $U_i \in_R G_1$
   - Gets $h_i = H_4(m, U_i, T_i, V_0, V_1, V_2)$

4. $U_s = zP - \Big(h'_s\cdot\sum_{A_j\in T_s}Q_j\Big) - \sum_{i\ne s}\Big(U_i + h_i\sum_{A_j\in T_i}Q_j\Big)$

5. $V = r^{*-1}r_{\rho'}z(aP)$

6. $\sigma = \{\{T_i\}_{i=1,\dots,n'}, \{U_i\}_{i=1,\dots,n'}, V, V_0, V_1, V_2, \omega\}$

Now, the verification has to satisfy the following three equations:
\begin{align*}
e(V_0, V_1) &= \gamma\\
e(V_0, V_2) &= e(P, H_3(\omega))\\
e(V, V_1) &= e\Big(\sum_{i=1}^{n'}\big(U_i + h_i\sum_{A_j\in T_i}Q_j\big),\ P_{pub}\Big)
\end{align*}
B.1 Verification analysis

Let us first consider $e(V_0, V_1)$:
\[
e(V_0, V_1) = e(D_0, D_1) = e(r_{\rho'}P,\ r_{\rho'}^{-1}P) = e(P, P) = \gamma
\]

Similarly, for $e(V_0, V_2)$:
\[
e(V_0, V_2) = e(D_0, D_2) = e(r_{\rho'}P,\ r_{\rho'}^{-1}H_3(\omega)) = e(P, H_3(\omega))
\]

Now, we will see if $e(V, V_1) = e\Big(\sum_{i=1}^{n'}\big(U_i + h_i\sum_{A_j\in T_i}Q_j\big),\ P_{pub}\Big)$ will hold true.

Consider the L.H.S:
\begin{align*}
e(V, V_1) &= e\big(r^*r_{\rho'}\cdot z\cdot(aP),\ r^{*-1}r_{\rho'}^{-1}P\big)\\
&= e(z\cdot(aP),\ P)\\
&= e(zP,\ P_{pub}) \tag{4}
\end{align*}

Now, for the R.H.S:
\[
e\Big(\sum_{i=1}^{n'}\big(U_i + h_i\sum_{A_j\in T_i}Q_j\big),\ P_{pub}\Big)
\]
Let us just consider the first component:
\begin{align*}
\sum_{i=1}^{n'}\Big(U_i + h_i\sum_{A_j\in T_i}Q_j\Big)
&= \sum_{i=1}^{n'}U_i + \sum_{i=1}^{n'}\Big(h_i\sum_{A_j\in T_i}Q_j\Big)\\
&= U_s + \sum_{i=1;\,i\ne s}^{n'}U_i + \Big(h'_s\cdot\sum_{A_j\in T_s}Q_j\Big) + \sum_{i=1;\,i\ne s}^{n'}\Big(h_i\cdot\sum_{A_j\in T_i}Q_j\Big)\\
&= zP - \Big(h'_s\cdot\sum_{A_j\in T_s}Q_j\Big) - \sum_{i\ne s}\Big(U_i + h_i\sum_{A_j\in T_i}Q_j\Big) + \Big(h'_s\cdot\sum_{A_j\in T_s}Q_j\Big) + \sum_{i=1;\,i\ne s}^{n'}U_i + \sum_{i=1;\,i\ne s}^{n'}\Big(h_i\cdot\sum_{A_j\in T_i}Q_j\Big)\\
&= zP \tag{5}
\end{align*}

Thus, the R.H.S also reduces to
\[
e\Big(\sum_{i=1}^{n'}\big(U_i + h_i\sum_{A_j\in T_i}Q_j\big),\ P_{pub}\Big) = e(zP,\ P_{pub}) \tag{6}
\]

From equations (4) and (6) we can see that the verification holds for the constructed signature.


Correctness of Solving CBDH. After using the forking lemma (refer to Section 4.1), let us say we have two signatures $\sigma$ and $\sigma'$ which have the following components:
\begin{align*}
V &= r_1^*(r_s + h_s)\sum_{A_i\in T_s}D_i, & V_2 &= r_1^{*-1}r_{\rho_1}^{-1}wcP,\\
V' &= r_2^*(r_s + h'_s)\sum_{A_i\in T_s}D_i, & V'_2 &= r_2^{*-1}r_{\rho_2}^{-1}wcP.
\end{align*}
\begin{align*}
V &= r_1^*r_{\rho_1}(r_s + h_s)\Big(a\sum_{A_i\in T_s}Q_i\Big)\\
&= r_1^*r_{\rho_1}(r_s + h_s)\Big(ab\big(\sum_{A_i\in T_s}s_i\big)P\Big)\\
W_1 &= e(V, V_2)\\
&= e(P,P)^{(r_s + h_s)\left(ab\sum_{A_i\in T_s}s_i\right)(wc)}\\
X_1 &= W_1^{w^{-1}} = \gamma^{(r_s + h_s)\left(abc\sum_{A_i\in T_s}s_i\right)} \tag{7}
\end{align*}

Similarly, set $W_2 = e(V', V'_2)$ and get $X_2$ as follows:
\[
X_2 = W_2^{w^{-1}} = \gamma^{(r_s + h'_s)\left(abc\sum_{A_i\in T_s}s_i\right)}
\]

Now, we do the following:
\begin{align*}
Y_1 &= \frac{X_1}{X_2} = \gamma^{(h_s - h'_s)\left(abc\sum_{A_i\in T_s}s_i\right)}\\
Y &= Y_1^{(h_s - h'_s)^{-1}} = \gamma^{abc\sum_{A_i\in T_s}s_i}\\
Z &= Y^{\left(\sum_{A_i\in T_s}s_i\right)^{-1}} = \gamma^{abc} = e(P, P)^{abc} \tag{8}
\end{align*}
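The bookkeeping of the $H_2$ and $H_3$ oracles (Section 4.1) and the extraction of equations (7) and (8) above, as an added example that is not the paper's code: the simulator is given only $bP$ and $cP$, records the $s_i$ and $w$ it chose, and recovers $e(P,P)^{abc}$ from two forked signatures without ever touching $a$, $b$ or $c$. $G_1$ is modelled as $\mathbb{Z}_q$ with $P = 1$ and $e(xP, yP) = g^{xy}$ in the order-$q$ subgroup of $\mathbb{Z}_p^*$ (parameters $q = 1019$, $p = 2039$, $g = 4$ chosen here). The two forked signatures are constructed inline with the structure given in B.1 (same $r_s$ and $r_\rho$, independent $r_1^*, r_2^*$, different $h_s, h'_s$); the master secret $a$ is used only to build that adversary's view, as the key-generation simulation would. All names and sample values are assumptions of this example.

```python
import random

# Toy parameters chosen for this example (not from the paper): group order q, safe prime
# p = 2q + 1 and g = 4 of order q in Z_p^*.  G1 is modelled as (Z_q, +) with P = 1.
Q, PMOD, G = 1019, 2039, 4

def e(X, Y):
    """Toy bilinear map e(xP, yP) = g^(x*y); gamma = e(P, P) = g."""
    return pow(G, (X * Y) % Q, PMOD)

def inv(x):
    return pow(x, -1, Q)

class Simulator:
    """Challenger C holding bP and cP from the CBDH instance and programming H2 and H3."""

    def __init__(self, bP, cP, rng):
        self.bP, self.cP, self.rng = bP, cP, rng
        self.L2 = {}   # A_i -> (s_i, Q_i)      (list L2 of Section 4.1)
        self.L3 = {}   # omega -> (w, W)        (list L3 of Section 4.1)

    def _fresh(self, used):
        """Pick a value in Z_q^* uniformly, re-picking until it differs from all earlier ones."""
        while True:
            v = self.rng.randrange(1, Q)
            if v not in used:
                return v

    def H2(self, attr):
        if attr not in self.L2:
            s = self._fresh({s for s, _ in self.L2.values()})
            self.L2[attr] = (s, (s * self.bP) % Q)            # Q_i = s_i (bP)
        return self.L2[attr][1]

    def H3(self, omega):
        if omega not in self.L3:
            w = self._fresh({w for w, _ in self.L3.values()})
            self.L3[omega] = (w, (w * self.cP) % Q)           # W = w cP
        return self.L3[omega][1]

def forked_signatures(sim, attrs, omega, a, r_rho, r_s, h_s, h_s2, rng):
    """Constructed (V, V_2) and (V', V'_2) with the structure of B.1: same r_s and r_rho,
    independent r_1^*, r_2^* and forked hash values h_s != h'_s (an assumption here)."""
    sum_Q = sum(sim.H2(A) for A in attrs) % Q                  # sum Q_i = b * sum s_i
    W = sim.H3(omega)                                          # w cP
    out = []
    for h in (h_s, h_s2):
        r_star = rng.randrange(1, Q)
        V = (r_star * r_rho * (r_s + h) * a * sum_Q) % Q       # r* r_rho (r_s + h)(a sum Q_i)
        V2 = (inv(r_star) * inv(r_rho) * W) % Q                # r*^-1 r_rho^-1 w cP
        out.append((V, V2))
    return out

def extract_cbdh(sim, sigs, attrs, omega, h_s, h_s2):
    """Equations (7) and (8): recover e(P, P)^(abc) from the two forked signatures."""
    (V, V2), (Vp, V2p) = sigs
    w = sim.L3[omega][0]                              # recorded when H3(omega) was answered
    sum_s = sum(sim.L2[A][0] for A in attrs) % Q      # recorded s_i of the signing subset
    X1 = pow(e(V, V2), inv(w), PMOD)                  # gamma^((r_s + h_s) abc sum s_i)
    X2 = pow(e(Vp, V2p), inv(w), PMOD)                # gamma^((r_s + h'_s) abc sum s_i)
    Y1 = X1 * pow(X2, -1, PMOD) % PMOD                # gamma^((h_s - h'_s) abc sum s_i)
    Y = pow(Y1, inv((h_s - h_s2) % Q), PMOD)          # gamma^(abc sum s_i)
    return pow(Y, inv(sum_s), PMOD)                   # gamma^(abc)

def demo(seed=5):
    """True when the extracted value equals e(P, P)^(abc) computed from the secrets."""
    rng = random.Random(seed)
    a, b, c = (rng.randrange(1, Q) for _ in range(3))  # CBDH secrets; C only sees bP, cP
    sim = Simulator(b, c, rng)                         # with P = 1, bP is just b and cP is c
    attrs = ["doctor", "surgeon"]                      # the signing subset T_s (constructed)
    r_rho, r_s = rng.randrange(1, Q), rng.randrange(1, Q)
    h_s, h_s2 = 17, 23                                 # the two forked H4 answers (constructed)
    sigs = forked_signatures(sim, attrs, "omega-target", a, r_rho, r_s, h_s, h_s2, rng)
    got = extract_cbdh(sim, sigs, attrs, "omega-target", h_s, h_s2)
    return got == pow(G, (a * b * c) % Q, PMOD)
```

The extraction divides by $h_s - h'_s$ and by $\sum s_i$, so it needs the fork to actually change $h_s$ and the recorded $s_i$ of the signing subset not to sum to zero modulo $q$; the re-picking in `_fresh` is the list discipline the proof describes for keeping the programmed oracle values distinct.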